The present disclosure relates to security for online systems and services. In particular, the present disclosure relates to systems and methods for compromised password mitigation for online systems. Still more particularly, the present disclosure relates to a system and method for compromised hashed password mitigation at login time for online systems.
The popularity and use of the Internet, web browsers, social networks and other types of electronic communication has grown dramatically in recent years. In particular, there are a number of online systems or services such as social networks, email, micro blogging, news feeds, and various other third party web sites. While these systems were once limited to sending messages, they can now be used to post messages, post photos or videos, micro blog, retrieve news content, retrieve web content and obtain presence information. As a prerequisite to accessing such systems, the systems typically require that the user provide a user name or login and a password before access is granted.
The online services also use usernames and passwords for identifying their users. These passwords are often stored in a hashed (commonly described as encrypted) form in their databases. Sometimes these databases are compromised by external attackers and leaked publicly. Even if the original service provider invalidates the leaked accounts, many users share the same username and password among different websites or services. Such shared passwords allow malicious attackers to use the stolen credentials on other sites, provided they can reverse the leaked hashes.
Owners of other sites cannot easily mitigate such attacks because they store their users' passwords using a different hashing algorithm or a unique (site-specific or per-user) salt, so a leaked hash cannot be compared directly against their own records. In order to mitigate such attacks, owners of other sites may either attempt to reverse the leaked hashes, which is computationally intensive and not guaranteed to work, or disable all accounts named in the leak without knowing whether the passwords have actually been reused, causing a bad experience for the users.
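The login-time approach named above follows from this problem statement: at the moment of login the site holds the plaintext password, so it can hash that plaintext with the leaked database's own algorithm and salt and compare the result to the leaked entry, without ever reversing the leaked hash or touching its own salted store. The following is an added illustration, not code from the original disclosure; the leaked dump, its unsalted SHA-1 format, the usernames and passwords, and the site's PBKDF2 store are all constructed sample data, and the prepended-salt convention for the leaked entries is an assumption.

```python
import hashlib
import hmac
import os

# Constructed sample of a leaked dump from some other service. Each entry records the
# algorithm and salt that service used (assumed: salt is prepended to the password).
LEAKED_DB = {
    "alice": {"algo": "sha1", "salt": b"", "hash": hashlib.sha1(b"correct horse").hexdigest()},
    "bob":   {"algo": "md5",  "salt": b"s1", "hash": hashlib.md5(b"s1" + b"hunter2").hexdigest()},
}

PBKDF2_ROUNDS = 100_000  # our own site's scheme: salted PBKDF2-SHA256, incomparable to the leak


def make_record(password: str) -> dict:
    """Create our own site's password record with a fresh per-user salt."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return {"salt": salt, "hash": digest}


# Constructed local user store: alice reused her leaked password, bob did not.
OUR_USERS = {
    "alice": make_record("correct horse"),
    "bob": make_record("a different one"),
}


def verify_local(username: str, password: str) -> bool:
    """Normal credential check against our own salted store (constant-time compare)."""
    rec = OUR_USERS.get(username)
    if rec is None:
        return False
    cand = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], PBKDF2_ROUNDS)
    return hmac.compare_digest(cand, rec["hash"])


def reused_leaked_password(username: str, password: str) -> bool:
    """Re-hash the submitted plaintext in the leaked dump's format and compare to the leak."""
    entry = LEAKED_DB.get(username)
    if entry is None:
        return False
    cand = hashlib.new(entry["algo"], entry["salt"] + password.encode()).hexdigest()
    return hmac.compare_digest(cand, entry["hash"])


def login(username: str, password: str) -> tuple:
    """Return (authenticated, must_reset): only a valid login is checked against the leak,
    so accounts whose passwords were not reused are never disabled or inconvenienced."""
    if not verify_local(username, password):
        return (False, False)
    return (True, reused_leaked_password(username, password))
```

A match sets the must_reset flag only for users who actually reused the leaked password; everyone else named in the leak logs in as usual.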
In some cases, owners of sites may also store their users' passwords in plain text, but in these cases a compromise of their database exposes every password directly.